[PATCH bpf v2 2/4] bpf: Add check iph->ihl < 5 in lwt

Next message: Sean Christopherson: "[PATCH v4 29/47] x86/kvmclock: Move sched_clock save/restore helpers up in kvmclock.c"
Previous message: Dario Binacchi: "[PATCH v2 11/15] arm64: dts: st: add usart1 pins for stm32mp25"
In reply to: Alexei Starovoitov: "Re: [PATCH bpf v2 1/4] bpf: Fix TOCTOU issue in lwt"
Next in thread: Leon Hwang: "[PATCH bpf v2 3/4] bpf: Update transport_header when encapsulating UDP tunnel in lwt"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Leon Hwang

Date: Fri May 29 2026 - 11:30:53 EST

Sashiko pointed out [1]: On architectures like MIPS, the while-loop won't
stop in ip_fast_csum().

To avoid such issues caused by invalid iph->ihl in lwt, add check
"iph->ihl < 5" in bpf_lwt_push_ip_encap() to make sure iph->ihl is valid.

[1] https://lore.kernel.org/bpf/20260525150010.CDEBA1F000E9@xxxxxxxxxxxxxxx/

Fixes: 52f278774e79 ("bpf: implement BPF_LWT_ENCAP_IP mode in bpf_lwt_push_encap")
Signed-off-by: Leon Hwang <leon.hwang@xxxxxxxxx>
---
net/core/lwt_bpf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c
index 8009e427851f..c306120e11d2 100644
--- a/net/core/lwt_bpf.c
+++ b/net/core/lwt_bpf.c
@@ -613,7 +613,7 @@ int bpf_lwt_push_ip_encap(struct sk_buff *skb, void *hdr, u32 len, bool ingress)
iph = (struct iphdr *)buff;
if (iph->version == 4) {
ipv4 = true;
- if (unlikely(len < iph->ihl * 4))
+ if (unlikely(iph->ihl < 5 || len < iph->ihl * 4))
return -EINVAL;
} else if (iph->version == 6) {
ipv4 = false;
--
2.54.0